Ubuntu / Debian Linux: Setup An ISC DHCP Server For Your Network

How do I set up a DHCP server for my local area network (LAN) using Debian Linux 6 or Ubuntu Linux server running on my IBM hardware?

The Dynamic Host Configuration Protocol (DHCP) allows clients such as desktop, laptop, and mobile devices to request and obtain an IP address and many other parameters from a server.

ISC’s DHCP server software

ISC’s DHCP software is the most widely used open source DHCP implementation on the Internet. The same software can be used on a LAN too. It is a carrier and enterprise grade solution to your host configuration needs.

Installing the DHCP server

Type the following apt-get command as the root user to install the DHCP server:
# apt-get install isc-dhcp-server
Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 0 B/411 kB of archives.
After this operation, 938 kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package isc-dhcp-server.
(Reading database ... 281728 files and directories currently installed.)
Unpacking isc-dhcp-server (from .../isc-dhcp-server_4.1.1-P1-15+squeeze8_amd64.deb) ...
Processing triggers for man-db ...
Setting up isc-dhcp-server (4.1.1-P1-15+squeeze8) ...
Generating /etc/default/isc-dhcp-server...
Starting ISC DHCP server: dhcpdcheck syslog for diagnostics. ... failed!
invoke-rc.d: initscript isc-dhcp-server, action "start" failed.

Configure the DHCP server

The configuration file for dhcpd is called /etc/dhcp/dhcpd.conf. The file comes with a number of global configuration options. Type the following command to edit the file:
# vi /etc/dhcp/dhcpd.conf
You must prevent the DHCP server from receiving DNS information from clients. Set the following global option (this is a security feature):

ddns-update-style none;

You need to set your domain name and name server:

## Set a domain name for your LAN ##
option domain-name "nixcraft.net.in";
## Set the DNS server IP addresses; you can use your ISP's DNS servers or Google's DNS servers ##
option domain-name-servers,;

Increase the lease time. The time is set in seconds:

### Set the length in seconds that will be assigned to a lease if the client requesting the lease does not ask for a specific expiration time. ###
### This is used for both DHCPv4 and DHCPv6 leases (it is also known as the "valid lifetime" in DHCPv6). ###
default-lease-time 86400;
## Set the maximum length in seconds that will be assigned to a lease ##
max-lease-time 604800;

The authoritative directive should be uncommented:


The authoritative directive indicates that the DHCP server should send DHCPNAK messages to misconfigured clients. If this is not done, clients will be unable to get a correct IP address after changing subnets until their old lease has expired, which could take quite a long time. Finally, update the configuration file with your subnet as follows:

subnet netmask {
        ## dhcp start  and end IP range ##
        option subnet-mask;     ## subnet 
        option broadcast-address; ## broadcast
        option routers; ## router IP


  1. subnet netmask { – The subnet statement is used to provide dhcpd with enough information to tell whether or not an IP address is on that subnet. It may also be used to provide subnet-specific parameters and to specify what addresses may be dynamically allocated to clients booting on that subnet. Such addresses are specified using the range declaration. In this example is the subnet-number and should be an IP address or domain name which resolves to the subnet number of the subnet being described. The netmask should be an IP address or domain name which resolves to the subnet mask of the subnet being described. The subnet number, together with the netmask, are sufficient to determine whether any given IP address is on the specified subnet.
  2. range; – For any subnet on which addresses will be assigned dynamically, there must be at least one range statement. The range statement gives the lowest and highest IP addresses in a range. All IP addresses in the range should be in the subnet in which the range statement is declared. is the starting IP address and is the ending IP address in this pool.
  3. option subnet-mask; – Use this subnet-mask.
  4. option broadcast-address; – Use this broadcast address.
  5. option routers; – Use this gateway address i.e. the address of your router connected to the Internet.

Save and close the file. To

Securing the DHCP server

Disable the dynamic DNS:

ddns-update-style none;

Set deny declines to avoid a DoS attack against your DHCP server. A client device can send DHCPDECLINE messages many times, which can exhaust the DHCP server’s pool of IP addresses, causing the DHCP server to forget old address allocations:

deny declines;

Disable support for older BOOTP clients:

deny bootp;

You must set valid and correct values for all the following operational directives. If you are not using NIS domain or ntp server, make sure the following options are not defined.

## see dhcpd.conf man page for more info on the directives ##
option domain-name
option domain-name-servers
option nis-domain
option nis-servers
option ntp-servers
option routers
option time-offset

In most cases you only need the domain-name, domain-name-servers, and routers directives; the rest should be removed to minimize the information served by the DHCP server.
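
The hardening directives in this section, and the rule that every range address must lie inside its subnet, can be checked automatically before restarting dhcpd. The following Python script is an added example, not part of the original tutorial: audit_dhcpd_conf() and the REQUIRED/UNNEEDED lists are hypothetical names, and the sample configuration with its 192.168.x.x addresses is constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config; every address below is a placeholder, not from the page.
SAMPLE_CONF = """
ddns-update-style none;
option domain-name "nixcraft.net.in";
option nis-domain "lan";            ## not needed -> should be flagged
default-lease-time 86400;
max-lease-time 604800;
authoritative;
deny bootp;
subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.100 192.168.2.20;   ## end address is outside the subnet
        option routers 192.168.1.254;
}
"""

# Directives the tutorial asks for, and options it says to drop when unused.
REQUIRED = ["ddns-update-style none", "deny declines", "deny bootp", "authoritative"]
UNNEEDED = ["nis-domain", "nis-servers", "ntp-servers", "time-offset"]

def audit_dhcpd_conf(text):
    """Return a list of findings for the hardening points in the tutorial."""
    # Drop comments, then collapse whitespace so statements match regardless of layout.
    body = re.sub(r"\s+", " ", re.sub(r"#.*", "", text))
    statements = {s.strip() for s in re.split(r"[;{}]", body)}
    findings = [f"missing: {d};" for d in REQUIRED if d not in statements]
    for opt in UNNEEDED:
        if re.search(rf"\boption {re.escape(opt)}\b", body):
            findings.append(f"unneeded option served: {opt}")
    # Every range address must lie inside the subnet block that declares it.
    for m in re.finditer(r"subnet (\S+) netmask (\S+) \{(.*?)\}", body):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        for lo, hi in re.findall(r"range ([\d.]+) ([\d.]+)", m.group(3)):
            for addr in (lo, hi):
                if ipaddress.ip_address(addr) not in net:
                    findings.append(f"range address {addr} outside {net}")
    return findings

if __name__ == "__main__":
    for finding in audit_dhcpd_conf(SAMPLE_CONF):
        print(finding)
```

The script matches statements at any nesting level and does not handle blocks nested inside a subnet declaration, so treat an empty result as a first pass rather than a full syntax check.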

How do I configure iptables to allow access to the DHCP server?

Edit your iptables scripts and add the following lines:

## Make sure you use an appropriate network block,  ##
## and network mask, representing the machines on your ## 
## network which should operate as clients of the dhcp server. ##
## Syntax: ##
## /sbin/iptables -A INPUT -s net/mask -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT ##
## Adjust rules as per your setup ##
/sbin/iptables -A INPUT -s -i eth0 -p tcp --sport 68 --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -s -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT

A slightly different configuration for an internal subnet

The following is a special subnet that allows PXE network booting using a tftpd server at (please note that you need to install and configure the tftpd server separately):

subnet netmask {
  ## openbsd pxe boot file ##
  filename "openbsd/pxeboot";
  ## Debian 6 pxe boot file ##
  ## filename "debian6/pxelinux.0";
  ## Freebsd pxe boot file ##
  ## filename "freebsd/pxeboot";
  ## our boot server ##
  option subnet-mask;
  option broadcast-address;
  option routers;

How do I add BOOTP support?

Each BOOTP client must be explicitly declared in the dhcpd.conf file.

## bootp my headless home router ##
host router {
     hardware ethernet 08:00:2b:4c:59:23;
     filename "debian6/pxelinux.0";
This entry is 1 of 3 in the Debian / Ubuntu Linux DHCP+TFTPD Netboot Server Tutorial series. Keep reading the rest of the series:
  1. Setup An ISC DHCP Server For Your Network
  2. Setup A TFTPD-HPA Trivial File Transfer Protocol Server
  3. Example: Install OpenBSD Using PXE
17 comments
  • Logicos November 28, 2012, 10:11 pm

    1) “netfilter” can’t stop DHCP requests.
    2) “dig” is the best tool for DNS debugging


  • Jalal Hajigholamali November 29, 2012, 3:55 am


    Thanks for very nice article

  • tim December 1, 2012, 3:12 pm

    nice write up. question, so this is possible even if you already have an existing DHCP server? I want to use this along with TFTP for a PXE test setup.

    • nixCraft December 1, 2012, 8:20 pm

      Yes, you can use this with existing dhcp provided that you can modify the configuration.

  • dave January 29, 2013, 11:05 am

    thanks for a very nice article as usual :)
    I have a question: is there a simple dhcpd.leases file parser for cli? At least to get stats about used and free leases..
    I was using dhcpstatus but apache2 started crashing.. dhcpstatus is old now and is web based, which I don’t need.. cli would be fine :)

  • beastie January 30, 2013, 2:17 pm

    Your iptables rules look incomplete.
    It would be good to mention that /usually/ UDP is used, and this is why you don’t see the TCP part very often. /etc/services says 67/tcp is bootps so I guess it is.

    The first DHCP messages use the addresses and
    Your rules only cover DHCP renewal.

    In addition, I think iptables does not keep state by default, so you need another rule for replies. (I think your rules accept DHCP reqs, but replies may be blocked depending on your other iptables rules).

  • bekota April 22, 2013, 2:17 pm

    Thanks for the tutorial. If we want to use DHCP and TFTP on the same server, how do we do the configuration?

  • Mohammad June 5, 2013, 10:40 am

    thanks ?

  • vipzrx June 20, 2013, 8:51 am

    range; – For any subnet on which addresses will be assigned dynamically, there must be at least one range statement. The range statement gives the lowest and highest IP addresses in a range. All IP addresses in the range should be in the subnet in which the range statement is declared. is the starting IP address and is the ending IP address in this pool.

    range;——》 range

  • kristijan June 21, 2013, 12:46 pm

    Tnx, very helpful article !

  • abhay June 4, 2014, 8:14 pm

    Thx, finally configured my dhcp server.

  • Surfer October 31, 2014, 3:45 pm

    How do I do it if I want to autostart the DHCP server at boot time?

  • ali November 26, 2014, 4:41 am


  • happen23 September 14, 2015, 7:23 am

    This post helps me a lot!
    I used the -t option to test my dhcpd.conf and found an “interface name too long” problem,
    then I fixed that by adding a link config entry in /etc/network/interfaces.
    Thank you!

  • Martin Muiru October 29, 2015, 7:28 pm

    I can’t hide my joy and praises to Vivek Gite. The guy who wrote this article. With very little knowledge in Linux and DHCP I have finally succeeded in doing exactly what I wanted. Thank you very much Vivek Gite! I wish you Almighty God’s Blessings!

  • Andrew Jones January 19, 2016, 5:21 am

    After all these years, it seems ISC DHCP Server still doesn’t have a built-in parser for the dhcpd.leases file. Annoying! micro DHCP (a light-weight version built in to busybox) has the “dumpleases” utility. But alas, we are left without.

  • med June 15, 2016, 12:37 am

    Best one, thanks very very much, that was helpful!
